Our modern lifestyles have come to depend on the convenience of technology on an unprecedented level. Many of us are old enough to remember having to physically go to a bank to update our bank books to see what transactions had passed in our accounts, and to get cash to pay for things.
Then, here in Canada, we saw the arrival of ABMs in 1984 through the Interac network. It was revolutionary! You could walk up to any of your bank’s ABMs, insert a card, and update your bank book or withdraw cash! 1994 saw the arrival of Interac Debit – wow! Going to a store and being able to pay for your purchases by using a debit card – how convenient!
Interac brought many improvements over the years, of course:
- 2003: eTransfers via email
- 2004: the ability to make debit payments in the US
- 2010: Flash payments, with just the tap of a card
By 2018 we were able to load our debit card into our mobile phones and pay using NFC, and many more advances have followed since then. View Interac’s history here.
Online and mobile banking evolved, and today we couldn’t imagine living without the convenience of these technologies.
But this convenience demands something of consumers.
Responsibility.
Let me say it again:
Convenience. Demands. Responsibility.
If consumers want to benefit from the convenience of modern banking, then they also need to proactively participate in protecting themselves.
Just in the past week, I have come across two news items where consumers want to blame banks for having been victims of fraud. They get phished, cyber-badguys steal money from their accounts, and they demand that the banks refund them.
The first story is about 140 Bank of Montreal (BMO) customers across Canada considering a class-action lawsuit against the bank, claiming that together, they have lost over $1.5M to cyber-badguys.
The Ombudsman for Banking and Investment Services sides with BMO, saying that “in most of these cases, we are not able to recommend that the bank pay compensation to the consumer because our investigations show the consumer has unknowingly shared or given access to their confidential information and the bank has complied with its obligations”.
However, on BMO’s security page, the warning at the top of the page is quite clear:
BMO has an entire section of their site dedicated to security, with multiple (very good!) tips on how to protect yourself: BMO Security Center.
Another story came out about an individual on Montreal’s South Shore who was defrauded of over $2,200 on Scotiabank’s Tangerine online banking service. He received a call from a “Tangerine customer service member” who told him his card had been used in the UK. The “agent” asked him for his card number, expiration date, and the three-digit security code on the back, which he provided to her. After the call, he logged into his bank account, only to notice that a transaction had gone through at a German travel agency.
The bank refused to refund the money, citing “serious fault” on the part of the customers.
The customer, of course, claims that “I have not committed any serious fault. I am the victim of a ploy”.
Yes, but…
Tangerine’s security section on their site is also very clear: never share such information with anyone!
Why should the banks be responsible for refunding people who have not followed best practice guidelines? Why are some people asking that “the government” legislate the banks to improve security, apart from “because we want governments to legislate and control every aspect of our lives”? Do they think that having MORE legislation will make customers more responsible? Because THAT is what’s really needed.
Now, clearly, I side with the banks on these issues; however, in a recent TV interview, I also stated that the banks COULD do more to protect their customers. As mentioned earlier, all this technology is greatly convenient, but I admit that we haven’t found a way to make security easy. So, what could the banks do in the short term to help customers protect themselves?
Well, to begin with, they could ENFORCE some of these security measures:
- It’s 2024 – make multifactor authentication obligatory! (And NOT via SMS, please!).
- Require long, complex passwords – maybe even make an API call to haveibeenpwned.com to see if the user’s password has ever been involved in a breach. If it has, refuse it and ask the user to choose another password.
- Don’t ask the user to “sign up” for banking alerts – PUSH THEM OUT! Any unusual activity should send a notification to the user.
- Consider implementing passkeys, as these are considered phishing-resistant.
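
The breached-password check suggested in the list above, as an added example (not code from this post or from any bank): it follows the Pwned Passwords range scheme, in which only the first five hex characters of the password's SHA-1 hash are sent and the match is done locally. The function names, the 12-character minimum, and the offline stub with its sample counts are assumptions constructed for illustration.

```python
import hashlib

def split_hash(password):
    """SHA-1 the password; return (5-char prefix sent out, 35-char suffix kept local)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def breach_count(password, fetch_range):
    """Return how often the password appears in the breach corpus (0 = not found).

    fetch_range(prefix) must return the body of a range response: one
    "SUFFIX:COUNT" line per hash sharing that prefix. In production this
    would be an HTTPS GET to https://api.pwnedpasswords.com/range/<prefix>.
    Neither the password nor its full hash ever leaves this process.
    """
    prefix, suffix = split_hash(password)
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count)  # padded responses contain entries with count 0
    return 0

def check_new_password(password, fetch_range, min_length=12):
    """Decision for a password-change form: (accepted, reason).

    min_length=12 is an assumed policy value, not one taken from the post.
    """
    if len(password) < min_length:
        return False, "too short"
    if breach_count(password, fetch_range) > 0:
        return False, "found in a known breach"
    return True, "ok"

def make_stub_range_api(breached):
    """Offline stand-in for the range endpoint, built from a constructed map."""
    table = {}
    for pw, count in breached.items():
        prefix, suffix = split_hash(pw)
        table.setdefault(prefix, []).append(f"{suffix}:{count}")
    # Each response also carries one constructed padding line with count 0.
    return lambda prefix: "\r\n".join(table.get(prefix, []) + ["0" * 35 + ":0"])

# Constructed sample data, not real breach counts.
STUB_API = make_stub_range_api({"Summer2024!Bank": 4821, "qwerty": 990000})

if __name__ == "__main__":
    for pw in ("qwerty", "Summer2024!Bank", "correct horse battery staple 7"):
        print(repr(pw), "->", check_new_password(pw, STUB_API))
```
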
All we hear about these days is AI; my guess (hope?) is that banks are already looking at how they can leverage AI to implement better protections on customer accounts, but ultimately, I doubt they will ever be able to completely protect customers who refuse to accept responsibility.